ENGLISH ABSTRACT: Model checking is a computer-aided verification technique that is used to verify properties
about the formal description of a system automatically. This technique has been applied
successfully to detect subtle errors in reactive systems. Such errors are extremely difficult to
detect by using traditional testing techniques. The conventional method of applying model
checking is to construct a model manually either before or after the implementation of a
system. Constructing such a model requires time, skill and experience. An alternative method
is to derive a model from an implementation automatically.
In this thesis two techniques of applying model checking to reactive systems are compared,
both of which have problems as well as advantages. Two specific strategies are compared in
the area of protocol development:
1. Structuring a protocol as a transition system, modelling the system, and then deriving
an implementation from the model.
2. Automatically translating implementation code to a verifiable model.
Structuring a reactive system as a transition system makes it possible to verify the control flow
of the system at implementation level, as opposed to verifying the control flow at an abstract
level. The result is a closer correspondence between implementation and specification (model).
At the same time, testing, which is restricted to small, independent code fragments that
manipulate data, is simplified significantly.
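The first strategy above, as an added illustration that is not part of the thesis: a reactive system written directly as a transition system (guarded transitions over an explicit state), so that the same transition relation is both interpreted to run the system and explored exhaustively to check a control-flow property. The protocol is a constructed, deliberately naive two-process lock whose non-atomic test-then-set lets both processes enter the critical section; a single scheduled test run does not hit the interleaving, while the exhaustive search returns a counterexample trace.

```python
from collections import deque

# State: (pc of process 0, pc of process 1, shared flag). Constructed example.
INITIAL = ("idle", "idle", 0)

def _with(s, i, pc, flag=None):
    """Copy of state s with process i's pc replaced and, optionally, the flag."""
    pcs = list(s[:2])
    pcs[i] = pc
    return (pcs[0], pcs[1], s[2] if flag is None else flag)

def _process(i):
    """Guarded transitions of process i: (name, guard, effect). Test and set are separate steps."""
    return [
        (f"p{i}:test",  lambda s: s[i] == "idle" and s[2] == 0, lambda s: _with(s, i, "set")),
        (f"p{i}:set",   lambda s: s[i] == "set",                lambda s: _with(s, i, "crit", 1)),
        (f"p{i}:leave", lambda s: s[i] == "crit",               lambda s: _with(s, i, "idle", 0)),
    ]

TRANSITIONS = _process(0) + _process(1)

def both_in_crit(s):
    """Safety violation: mutual exclusion broken."""
    return s[0] == "crit" and s[1] == "crit"

def run(initial, transitions, schedule):
    """Interpret the transition system under one fixed scheduler (a single test run).
    Returns the sequence of visited states."""
    s, visited = initial, [initial]
    for proc in schedule:
        for name, guard, effect in transitions:
            if name.startswith(f"p{proc}:") and guard(s):
                s = effect(s)
                visited.append(s)
                break  # one step of the scheduled process per tick
    return visited

def explore(initial, transitions, bad):
    """Exhaustive breadth-first search of the reachable state space.
    Returns the shortest transition trace to a state satisfying `bad`, or None."""
    parent, queue = {initial: None}, deque([initial])
    while queue:
        s = queue.popleft()
        if bad(s):
            trace = []
            while parent[s] is not None:
                prev, name = parent[s]
                trace.append(name)
                s = prev
            return trace[::-1]
        for name, guard, effect in transitions:
            if guard(s):
                t = effect(s)
                if t not in parent:      # visited-set keeps the search finite
                    parent[t] = (s, name)
                    queue.append(t)
    return None
```

Running each process to completion in turn (`run(INITIAL, TRANSITIONS, [0, 0, 0, 1, 1, 1])`) never reaches the bad state, whereas `explore(INITIAL, TRANSITIONS, both_in_crit)` reports the interleaving test, test, set, set that the test missed.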
The construction of a model often takes too long; therefore, verification results may no longer
be applicable when they become available. To address this problem, the technique of automated
model extraction was suggested. This technique aims to reduce the time required to
construct a model by minimising manual input during model construction.
A transition system is a low-level formalism and direct execution through interpretation is feasible. However, the overhead of interpretation is the major disadvantage of this technique.
With automated model extraction there are disadvantages too. For example, differences
between the implementation and specification languages, such as constructs present in the
implementation language that cannot be expressed in the modelling language, make the
development of an automated model extraction tool extremely difficult.
In conclusion, the two techniques are compared against a set of software development considerations.
Since a specific technique is not always preferable, guidelines are proposed to help
select the best approach in different circumstances.